1221292 – (CVE-2024-26613) VUL-0: REJECTED: CVE-2024-26613: kernel: net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv

Bug 1221292 (CVE-2024-26613) - VUL-0: REJECTED: CVE-2024-26613: kernel: net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv

Summary: VUL-0: REJECTED: CVE-2024-26613: kernel: net/rds: Fix UBSAN: array-index-out-...

Status:	RESOLVED DUPLICATE of bug 1219127

Alias:	CVE-2024-26613

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P5 - None Severity: Normal
Target Milestone:	---
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/397152/
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2024-03-12 12:51 UTC by SMASH SMASH
Modified:	2024-03-12 13:46 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description SMASH SMASH 2024-03-12 12:51:10 UTC

In the Linux kernel, the following vulnerability has been resolved:

net/rds: Fix UBSAN: array-index-out-of-bounds in rds_cmsg_recv

Syzcaller UBSAN crash occurs in rds_cmsg_recv(),
which reads inc->i_rx_lat_trace[j + 1] with index 4 (3 + 1),
but with array size of 4 (RDS_RX_MAX_TRACES).
Here 'j' is assigned from rs->rs_rx_trace[i] and in-turn from
trace.rx_trace_pos[i] in rds_recv_track_latency(),
with both arrays sized 3 (RDS_MSG_RX_DGRAM_TRACE_MAX). So fix the
off-by-one bounds check in rds_recv_track_latency() to prevent
a potential crash in rds_cmsg_recv().

Found by syzcaller:
=================================================================
UBSAN: array-index-out-of-bounds in net/rds/recv.c:585:39
index 4 is out of range for type 'u64 [4]'
CPU: 1 PID: 8058 Comm: syz-executor228 Not tainted 6.6.0-gd2f51b3516da #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS 1.15.0-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x136/0x150 lib/dump_stack.c:106
 ubsan_epilogue lib/ubsan.c:217 [inline]
 __ubsan_handle_out_of_bounds+0xd5/0x130 lib/ubsan.c:348
 rds_cmsg_recv+0x60d/0x700 net/rds/recv.c:585
 rds_recvmsg+0x3fb/0x1610 net/rds/recv.c:716
 sock_recvmsg_nosec net/socket.c:1044 [inline]
 sock_recvmsg+0xe2/0x160 net/socket.c:1066
 __sys_recvfrom+0x1b6/0x2f0 net/socket.c:2246
 __do_sys_recvfrom net/socket.c:2264 [inline]
 __se_sys_recvfrom net/socket.c:2260 [inline]
 __x64_sys_recvfrom+0xe0/0x1b0 net/socket.c:2260
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x40/0x110 arch/x86/entry/common.c:82
 entry_SYSCALL_64_after_hwframe+0x63/0x6b
==================================================================

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-26613
https://www.cve.org/CVERecord?id=CVE-2024-26613
https://git.kernel.org/stable/c/00d1ee8e1d02194f7b7b433e904e04bbcd2cc0dc
https://git.kernel.org/stable/c/0b787c2dea15e7a2828fa3a74a5447df4ed57711
https://git.kernel.org/stable/c/13e788deb7348cc88df34bed736c3b3b9927ea52
https://git.kernel.org/stable/c/344350bfa3b4b37d7c3d5a00536e6fbf0e953fbf
https://git.kernel.org/stable/c/5ae8d50044633306ff160fcf7faa24994175efe1
https://git.kernel.org/stable/c/71024928b3f71ce4529426f8692943205c58d30b
https://git.kernel.org/stable/c/7a73190ea557e7f26914b0fe04c1f57a96cb771f
https://git.kernel.org/stable/c/a37ae111db5e0f7e3d6b692056c30e3e0f6f79cd

Comment 1 Gabriele Sonnu 2024-03-12 12:59:06 UTC

Same fix as bug 1219127 / CVE-2024-23849, marking it as a duplicate.

*** This bug has been marked as a duplicate of bug 1219127 ***

Comment 2 Robert Frohl 2024-03-12 13:46:51 UTC

REJECTED:

https://lore.kernel.org/linux-cve-announce/20240312134338.1516998-2-lee@kernel.org/T/#u